Last post May 21, 2011 10:11 AM by shahed.kazi
May 20, 2011 08:25 AM|1Plus1Is3|LINK
we have a forum site in which we want to allow our users to inject html content which should not be rendered on the site but it should just disply as a text on the page with tags.
On the web every one is saying that turn off ValidateRequest flag and use htmlEncoding. i tried that and that works fine in my site. But msdn articale
http://msdn.microsoft.com/en-us/library/a2a4yykt%28v=VS.90%29.aspx says that this is not recommended.
1. I want to know like what can be the recomended implementation of this feature
2. What are the impacts if I implement this with htmlEncode and ValidateRequest="False"
Thanks in advance
May 20, 2011 01:23 PM|Dhaval Tawar|LINK
Server.HtmlEncode("<script>"); will result <script>;
Actully when you allow use to add html code and you do not encode it. It will not show it as it is.
It will act as a part of your page html. That means that script will be executed if not encoded.
May 20, 2011 03:22 PM|roopeshreddy|LINK
Microsoft won't recommend it because, user's can inject malicious scripts. But if you know, it won't happen to ur site, you can go ahead and turn of the ValidationRequest.
Server.HtmlEncode() is awesome method, which prevents executing the scripts.
Hope it helps u...
May 21, 2011 10:11 AM|shahed.kazi|LINK
When retrieving the data, you should Decode the data using Server.HtmlDecode("html data").